zergboard-skill

Fail

Audited by Snyk on May 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt instructs users to run a login command with a plaintext --password argument and to copy the API token verbatim into a local config.json, which requires handling and embedding secret values directly (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's runtime code (zergboard_skill.py) and SKILL.md show it makes HTTP requests to the Zergboard API (default https://zergboard.fly.dev) to fetch user-generated content — boards, cards, descriptions, and comments — which the tool consumes and uses to resolve targets and drive actions (e.g., resolve_board/resolve_card, comments, create/update/move), so untrusted third-party content can materially influence behavior.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 09:06 AM
Issues
2
Security Audit — snyk — zergboard-skill